Hi Randy,

Thanks for your quick reply. I have already enabled "Allow Local LAN Access" on the Cisco VPN client on our local desktops (see 2rd screenshot), and I also added the static routing entries of local networks on local desktops. But it's not working. We do NOT have any control on the partner or ASA firewall.

We also have many other partners in our orgnization. Some of the partners are using Juniper or Microsoft remote access VPN solution. That means some of our local desktops are using Juniper/Microsoft VPN client to connect to these partners by remote access VPN. These partners have also enabled the default gateway on remote network by default. But we do be able to access our local networks by adding the static routing entries of our local networks on our local desktops (e.g. by DHCP option 249 on our local DHCP servers).

In addtional, we have not only one subnet in our local network, but multiple subnets. For example, the desktops are in the local subnet 192.168.1.0/24, but the desktops require to access the server subnet 192.168.0.0/24 for local Domain Controller/print server/etc access while the Cisco VPN client is conneted. I tried to add the static routing entrie for 192.168.0.0/24 on the local desktops, but it's not working. All the traffic went via the VPN tunnel.

Regards,
Jun Gao

Hi Jun, 

As the document point, you need to configure the Local LAN access on the ASA as well with an "exclude-specify" policy under the group-policy. Otherwise the checkbox on the VPN client won't take effect.

A friendly reminder this VPN client is currently out of support and is not compatible with Windows 8 or 10.

http://www.cisco.com/c/en/us/products/collateral/security/vpn-client/end_of_life_c51-680819.html

-Randy-

Hi Randy,

First of all, thank you very much for your quick reply again. Actually I did check that document. But we do not have any controls on the ASA firewall which is managed by our partner. This is an internal requirement inside our orgnization. It's IMPOSSIBLE to talk with our partner to configure an "exclude-specify" policy on their end for whatever reasons. I'm asking the question here to look for a workaround on our local desktops instead of a solution on our partner's firewall. Actually we have many partners in our orgnization, and we have the workaround with other VPN solutions (e.g. Juniper/Microsoft) for other partners. That means, we can add the static routing entries of our local subnets (e.g. DHCP option 249) on our local desktops to access our local networks as a workaround while we use Juniper or Microsoft VPN client.

Thanks very much for your reminding. We can upgrade the VPN client to the laster version like Cisco AnyConnect. But could this fix my issue?

Thanks,
Jun Gao

Hi Jun, 

This seems to be hard to accomplish due to the limitations of the management part.

 If you could give  a try to the Anyconnect client , specially if you're using Windows 8 or 10. 

Among that, it seems unfortunately we might be hitting a roadblock here for this set up. 

Cheers, 

-Randy-

Hi Randy,

Thanks again for your reply. Let me try the latest AnyConnect on the desktops and also try Windows 8 or 10 on a testing machine if I can have the chance. Hope it will work out.

Regards,
Jun Gao

Hi Randy,

I had installed Windows 10 with the latest AnyConnect and I was going to connect to the VPN. However, the AnyConnect was asking me for second username & password. What is it? I never saw it on Cisco Systems VPN Client in the past. I only saw the VPN client asked me for username and passcode. I tried the same username & passcode, but it didn't work.

Thanks,
Jun Gao